How will the FTC's new digital privacy rules impact developers?

About a month back, the Federal Trade Commission handed down a $50,000 fine against W3 Innovations, the parent firm of iOS developer Broken Thumbs Apps, after the company collected children's personal data in games like Zombie Duck Hunt, Truth or Dare, and Emily's Dress Up. The FTC alleges that Broken Thumbs titles "collected, maintained, and/or disclosed personal information" entered into its apps, which target young gamers--the complaint adds the developer collected and maintained a list of more than 30,000 e-mails as well as personal information from roughly 600 users.

Fasten your seatbelts: The Broken Thumbs ruling is likely just the beginning. Last week the FTC outlined a series of revisions to the decade-old Children's Online Privacy Protection Act (or COPPA), proposing a dramatic revamp that would cover smartphone apps, social media sites and other recent technological advances inadequately addressed by existing regulations. COPPA requires companies to obtain parental consent before collecting any personal data about a child under age 13--the FTC wants to dramatically expand the definition of personal information, at the same time mandating that digital services that collect a child's data must securely protect it, keep it "for only as long as is reasonably necessary" and then delete it. The FTC also wishes to update how companies and services obtain parental consent, transitioning beyond the current two-step e-mail and authorization process to mandate scanned versions of signed consent forms and videoconferencing.

The FTC cited "an explosion in children's use of mobile devices, the proliferation of online social networking and interactive gaming" as catalysts behind its decision to update the legislation. FTC chairman Jon Leibowitz described children as "tech-savvy, but judgment-poor," adding "We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses."

The FTC will accept written comments about the proposed COPPA overhaul until Nov. 28, and at least until then, a significant number of questions about the new legislation remain. But mobile developers should brace for profound changes says Susan Lyon, special counsel at business and litigation law firm Cooley LLP and co-chair of its Privacy practice group. "Applications that are attractive to children brought this issue to the attention of the FTC, especially apps built around location and the ability to track children," Lyon tells FierceDeveloper. "There are significant concerns about any technologies that can identify where a child might be located."

According to Lyon, the most dramatic change facing mobile app developers derives from the FTC's steps to redefine what the concept of "personal information" entails. The commission proposes including not only a child's email address but also "any other substantially similar identifier that permits direct contact with a person online," e.g. an IM name, a video chat name or a VoIP identifier. At the same time, the FTC would not consider screen names or usernames used solely to support internal operations to fall under the "personal information" umbrella--nor would it include persistent identifiers like IP addresses, customer numbers in cookies, processor or device serial numbers, or unique device identifiers if they are dedicated exclusively to supporting internal operations. "The proposal is unclear about whether the use of analytics information in apps is covered under the internal operations exception," Lyon says. "It's an open question for app developers, especially those using analytics to work hand-in-hand with carriers and device manufacturers."

The FTC also seeks to expand personal information to encompass any identifiers that connect a child's activities across different websites or digital services (described as "a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child"). Also slated for inclusion: Photographs, videos, or audio files containing a child's image or voice (updating the current COPPA standard that includes photographs only when combined with "other information such that the combination permits physical or online contacting") along with geo-location data sufficient to pinpoint a street name along with the name of the corresponding city or town.

Buried within the FTC proposal is another item Lyon says demands closer scrutiny: A reference to "multiple operators" of a website or online service, which she says could suggest joint liability shared among developers and partners like mobile advertising services. "It's very unclear whether both can be liable," she admits. "The FTC proposal doesn't provide much guidance--for example, it doesn't describe what would trigger an ad network to be liable under COPPA. And what if the mobile app developer isn't aware a mobile ad network partner is collecting data, or if the mobile ad network isn't aware of what the app is doing? It's a parenthetical mention, but it warrants a lot of attention."

Still another slippery question: Just what constitutes mobile content aimed at children, anyway? "Look at Angry Birds--you might think it's a kids' game, but you know and I know that many adults enjoy it," Lyon says. "There are many games that look to be made for children that aren't. There's such a blurring of lines. What's the answer--voluntary labeling? Is age-gating sufficient, or do you have to quarantine content? [The FTC] raises so many questions."

Which is why the true impact of the COPPA revamp may remain unknown for some time to come, but make no mistake: It will change the rules of the game. "If your app is not directed to children, an easy way to avoid COPPA is not to gain knowledge of children's personal information or have connections with any third-party services directed to children," Lyon says. "For others with animated content or games, you need to look more closely at the [proposed] rules and determine whether this affects the data you're collecting. The FTC is clearly focused on this area. Everyone in the mobile space should be paying attention." -Jason